PacketFence v11.2 released
February 23, 2022

The Inverse team is pleased to announce the immediate availability of PacketFence v11.2 - a major release bringing many improvements!

TIP OpenWiFi Integration

PacketFence v11.2 now directly integrates with TIP OpenWiFi. TIP OpenWiFi access points are now natively supported network/switch devices in PacketFence with the ability to provision out-of-band subscriber service networks, IoT networks and secured networks.

Kandji MDM Support

PacketFence v11.2 sees its device management (MDM) integration nicely enhanced with the addition of Kandji. This next-generation and Cloud-based MDM allows you to centrally manage and secure your Mac, iPhone, iPad, and Apple TV devices while PacketFence can make sure the agents are correctly installed during the onboarding process.

Automated Integration Tests

More automated tests were added in PacketFence v11.2 through Venom. More specifically, integration tests were added for Fingerbank integration, inline L2/L3 deployment, firewall SSO, CLI for NAS logins and for the captive portal. These extend the automated test coverage in PacketFence further to ensure greater quality and stability for each new release and help us continue our effort to shorten the time between releases.

… and more!

PacketFence v11.2 provides additional important improvements such as floating devices support for Brocade/Ruckus switches, role-based access for VPNs, an ISO-based Debian 11 installer and much more.

What’s Coming Up in v12

We’re excited for the upcoming PacketFence v12 release later in 2022! This upcoming release will include more new visualization capabilities around asset discovery and threat detection, services containerization, increased integration with MDM/EDR/XDR solutions and better deployment options on public Cloud providers for infrastructure-less and Cloud-first organizations. Stay tuned and follow us on Twitter for progress reports!


Here’s the complete list of changes included in this release:

New Features

  • Added MAB floating device support to Ruckus/Brocade switches (#6774)
  • Support for roles in VPN access
  • Allow to centralize the virtual IPs on the same server (#6853)
  • Added support for Kandji MDM as a provisioner
  • OpenWiFi switch module
  • Allow to manage devices (unregister) when reaching max nodes (#6860)
  • ISO installer based on Debian 11 (#6803)

Enhancements

  • Allow Meraki::MR_v2 module to be able to use a RADIUS Disconnect instead of only a RADIUS CoA
  • Simplify local development of Venom tests (#6711)
  • Integration tests on Fingerbank (#6725, #6786, #6798, #6816)
  • Integration tests on captive portal (#6744)
  • Integration tests for CLI login (#6783)
  • Upgrade to Venom 1.0.0 (#6775)
  • Upload logs of tests (#6784)
  • Management of TLS minimum and maximum versions in GUI (#6773)
  • Integration tests for Inline L2 and L3 (#6769)
  • Drastically improved the performance of the Ruckus unbound DPSK implementation (#6817)
  • Added an admin action to allow RADIUS Probe requests
  • Allow access to the Status/Node Manager/Device Registration pages on SAML auth.
  • Give each monitoring script a maximum of 10 seconds to run (#6828)
  • Resign CA feature in PKI (#6770)
  • Allow to download any certificates without private key using a button (#6778)
  • Fixes date format of the PKI SQL tables (#6823)
  • Use the Digest of the profile on SCEP request (#6823)
  • Improve CLI login support on Ubiquiti Edge switches (#6727)
  • Expose the open locationlog as a variable to switch templates.
  • Improve the speed on the node online query.
  • Message portal module can be used without the portal template.
  • The ip6tables rules are now managed by PacketFence (#6836)
  • Certificate signing requests created via the admin interface now include a Subject Alternative Name (SAN)
  • The Subject Alternative Names of a certificate are now displayed in the admin interface
  • SSL Certificates - RADIUS / HTTPs page Simple GUI Enhancements (wording clarification) (#6613)
  • New mysql-probe service to monitor haproxy-db backends
  • Allow to add environment overrides to Fingerbank collector via the config (#6854)
  • Change the behavior of pf::condition::not_equal to always succeed when match value is undef
  • Allow to renew certificate X days before the expiration date
  • Send email X days before the expiration date to the user email / profile email / administrator
  • PKI CN provides certificate for the same CN but for different profiles (profile name added in Subject)
  • Auto-revoke certificate if expired
  • PKI actions are now logged to the admin API audit log
  • Reduce list of accepted ciphers in haproxy-portal and haproxy-admin to reinforce security
  • Improved the performance of the bandwidth accounting cleanup process (#6850)
  • Purge binary logs task
  • Integration tests for firewall SSO (HTTPS/RADIUS) (#6822)
  • Add text warning on unreg date when past date is used (#6871)
  • Add an option to sync a single ConfigStore storage in the bin/cluster/sync tool (#6904)
  • Updated PayPal integration documentation
  • Match expected administration rules for web admin and sponsor login (#3631)

Bug Fixes

  • Reply to Windows devices configured through Intune even if they requested a non-existing URL (#6687)
  • Add RADIUS audit log entry in correct tenant when switches are defined by MAC address (#6540)
  • Fixed issue with edition of PKI template (#6713)
  • Fixed issue on PKI template save (#6749)
  • Fixed issue where PKI templates could be modified by a SCEP request (#6751)
  • Fixed issue with PKI From value when sending certificate by email (#6370)
  • Fixed documentation for Huawei (PR #6692)
  • Fixed issue where the wrong certificate was pulled based only on the CN (#5861)
  • Fixed regression in the Unifi module for deauthentication of webauth clients when the APs are defined using an IP or CIDR in the configuration (#6686)
  • Fixed revoke certificate on unregistration (#6826)
  • Send certificates by email using alerting settings (#5917)
  • Validate email format on TLS Enrollment form
  • Fixed issue where portal could apply actions from different auth rules (#6896)
  • Handle DBI library ping call dying in pfconfig MySQL backend (#6895)

See the complete list of changes and the upgrade guide file for notes about upgrading.

This release is considered ready for production use and upgrading from previous versions is strongly advised.
